The branch master has been updated via 0e76014e584ba78ef1d6ecb4572391ef61c4fb51 (commit) from 86334b6a61b35a3f3d487cc0eb74ac1aff79d185 (commit)
- Log ----------------------------------------------------------------- commit 0e76014e584ba78ef1d6ecb4572391ef61c4fb51 Author: Viktor Dukhovni <openssl-us...@dukhovni.org> Date: Sun Jan 17 02:33:14 2016 -0500 Drop cached certificate signature validity flag It seems risky in the context of cross-signed certificates when the same certificate might have multiple potential issuers. Also rarely used, since chains in OpenSSL typically only employ self-signed trust-anchors, whose self-signatures are not checked, while untrusted certificates are generally ephemeral. Reviewed-by: Dr. Stephen Henson <st...@openssl.org> ----------------------------------------------------------------------- Summary of changes: crypto/include/internal/x509_int.h | 1 - crypto/x509/x509_vfy.c | 6 +----- crypto/x509/x_x509.c | 1 - 3 files changed, 1 insertion(+), 7 deletions(-)
diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h
index 5997a21..c11d3b3 100644
--- a/crypto/include/internal/x509_int.h
+++ b/crypto/include/internal/x509_int.h
@@ -192,7 +192,6 @@ struct x509_st {
 X509_CINF cert_info;
 X509_ALGOR sig_alg;
 ASN1_BIT_STRING signature;
- int valid;
 int references;
 char *name;
 CRYPTO_EX_DATA ex_data;
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 48d9367..ec9c321 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1618,9 +1618,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
 * explicitly asked for. It doesn't add any security and just wastes
 * time.
 */
- if (!xs->valid
- && (xs != xi
- || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
+ if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
 if ((pkey = X509_get0_pubkey(xi)) == NULL) {
 ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
 ctx->current_cert = xi;
@@ -1636,8 +1634,6 @@ static int internal_verify(X509_STORE_CTX *ctx)
 }
 }
- xs->valid = 1;
-
 check_cert:
 ok = x509_check_cert_time(ctx, xs, 0);
 if (!ok)
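Review bot: The rewritten condition in internal_verify, `if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))`, has no comment recording why the signature result is deliberately not cached, so the `valid` shortcut could be reintroduced later as an optimization. The surviving comment above it, as far as the hunk shows, only explains skipping the self-signed signature check. I would add `/* Signature validity depends on the issuer key used, not on xs alone, so it is re-verified on every call and never cached on the X509 object. */` directly above the `if`. The same reasoning covers the second hunk, which drops `xs->valid = 1;`, and since the diffstat lists no test file, a cross-signed chain case exercising this path would be worth adding. internal_verify starts and ends outside both hunks.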
diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c
index 4733321..53a5eb7 100644
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@@ -90,7 +90,6 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 switch (operation) {
 case ASN1_OP_NEW_POST:
- ret->valid = 0;
 ret->name = NULL;
 ret->ex_flags = 0;
 ret->ex_pathlen = -1;
_____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits